Date breach due to saving password on chain
Summary
Data on blockchain is public and can be accessed by anyone by querying the smart contract storage or by checking the transaction details. Storage of sensitive data like passwords on chain might lead to data breach.
Vulnerability Details
Data stored on the blockchain, even if designated as private, remains potentially obtainable through queries to the smart contract's storage or examination of transaction details. Utilizing plain text for storing passwords on the blockchain is an inadvisable strategy, as it exposes this sensitive information to potential hackers. Moreover, even when employing encrypted storage on the blockchain, there persists a risk that malicious entities could retrieve the encrypted password and, potentially, subject it to decryption via brute force techniques.
Impact
This is a high severity issue as it might lead to data breach
Tools Used
Manual code review
Recommendations
should not store passwords on chain
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.